Re: Sid SELinux packages are now working

On Wed, 9 May 2007 13:00:14 +0200, Gabor Gombas <gombasg@sztaki.hu> said: 

> Well, I don't know much about SELinux (yet) but how about storing the
> modified module at a different location (say under
> /var/selinux/local-policy)? That way the update script can be taught
> to simply ignore the shipped module if a customized module with the
> same name exists, and use your customized version instead. No need to
> play with version numbers, no need to check if the file was changed.

        Sure. The problem is when your policy .deb is upgraded, and the
 postinst tries to refresh the installed policy (perhaps using
 debconf to ask you). At this point, I know how to look up the version
 of the policy module foo that is installed (and is also present in
 /etc/selinux/<policy-type>/modules/active/modules/foo.pp). But I do not
 know the version of /usr/share/selinux/<policy-type>/foo.pp.

        I can, of course, determine that these two files are different:
 /etc/selinux/<policy-type>/modules/active/modules/foo.pp and
 /usr/share/selinux/<policy-type>/foo.pp -- but Erich wants me to be
 version aware, and that is the problem.

        I am not sure I can see how we can easily change the location of
 the policy store ( /etc/selinux/<policy-type>/modules/active/modules),
 if you think the store location should be changed.

"If you are patient in one moment of anger, you will escape a hundred
days of sorrow." -Chinese Proverb
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
